Re: cgnat - how do you handle customer issues

2018-02-27 Thread Owen DeLong 
There’s also the issue of what a customer who needs something like GRE or IKE 
to work does from behind a CGNAT where there aren’t port numbers available for 
multiplexing.

Owen

> On Feb 27, 2018, at 2:42 PM, Lee Howard <l...@asgard.org> wrote:
> 
> 
> 
> On 02/27/2018 12:52 PM, Aaron Gould wrote:
>> Thanks
>> 
>>  
>> For #2 – what if the ports allocated aren’t enough for the amount of inet 
>> traffic the customer site uses ?  …is the customer denied service based on 
>> insufficient port range ?  …or are they assigned another block within that 
>> some ip’s range of I think it’s 0-64k or 1025-64k… but how far can you take 
>> that before there aren’t anymore port blocks left on that single ip ?  …and 
>> if you have to allocate that customer another port block from a *different* 
>> ip, then we are in the situation of the bank website not liking the fact 
>> that the session is bouncing to a different ip maybe ?
> 
> 
> Yes, common problem, and the session just fails (TCY SYN dropped) because of 
> insufficient ports.
> Most CGNs allow you to configure a range of ports for a customer, and reserve 
> an additional range if they need more ports. Yes, if you allocate 1000 ports 
> for one IPv4 address to each of 50 customers and they all need hundreds more 
> ports than that, you're going to run out of ports and connections fail.
> 
> This is why you have IPv6. Even while many web sites and apps don't support 
> IPv4, enough do that it relieves some pressure on your CGN.
> 
> Lee
>>  
>> - Aaron
>> 
>>  
>> From: Michael Crapse [mailto:mich...@wi-fiber.io]
>> Sent: Tuesday, February 27, 2018 11:19 AM
>> To: Mike Hammett
>> Cc: Aaron Gould; NANOG list
>> Subject: Re: cgnat - how do you handle customer issues
>> 
>>  
>> For number 2, I'm a fan of what mike suggests. I believe the technical term 
>> is MAP-T.
>> For number 1, anyone who wants one, gets one. We provide free public static 
>> IP to any customer who asks for one. Another solution, using above solution 
>> is to ask them which ports they need, and forward those to them using a port 
>> within their assign range. i.e. teach them how to access their home web 
>> server using a different port(say 32424, or similar). This won't solve all 
>> the issues, which is why we use solution 1.
>> 
>>  
>> On 27 February 2018 at 09:32, Mike Hammett <na...@ics-il.net> wrote:
>> 
>> I'm a fan of nailing each customer IP to a particular range of ports on a 
>> given public IP. Real easy to track who did what and to prevent shifting IPs.
>> 
>> 
>> 
>> 
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> 
>> Midwest Internet Exchange
>> 
>> The Brothers WISP
>> 
>> - Original Message -
>> 
>> From: "Aaron Gould" <aar...@gvtc.com>
>> To: Nanog@nanog.org
>> Sent: Tuesday, February 27, 2018 10:30:21 AM
>> Subject: cgnat - how do you handle customer issues
>> 
>> 
>> Couple questions please. When you put thousands of customers behind a cgnat
>> boundary, how do you all handle customer complaints about the following.
>> 
>> 
>> 
>> 1 - for external connectivity to the customers premise devices, not being
>> able to access web servers, web cameras, etc, in their premises?
>> 
>> 
>> 
>> 2 - from the premise natted device, when customers go to a university or
>> bank web site, how do you handle randomly changing ip addresses/ports that
>> may occur due to idle time and session tear-down in nat table such that the
>> bank website has issues with seeing your session ip change?
>> 
>> 
>> 
>> 
>> 
>> -Aaron
>> 
>> 
>> 
>>  
>>

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Lee Howard 



On 02/27/2018 12:52 PM, Aaron Gould wrote:

Thanks

  


For #2 – what if the ports allocated aren’t enough for the amount of inet 
traffic the customer site uses ?  …is the customer denied service based on 
insufficient port range ?  …or are they assigned another block within that some 
ip’s range of I think it’s 0-64k or 1025-64k… but how far can you take that 
before there aren’t anymore port blocks left on that single ip ?  …and if you 
have to allocate that customer another port block from a *different* ip, then 
we are in the situation of the bank website not liking the fact that the 
session is bouncing to a different ip maybe ?



Yes, common problem, and the session just fails (TCY SYN dropped) 
because of insufficient ports.
Most CGNs allow you to configure a range of ports for a customer, and 
reserve an additional range if they need more ports. Yes, if you 
allocate 1000 ports for one IPv4 address to each of 50 customers and 
they all need hundreds more ports than that, you're going to run out of 
ports and connections fail.


This is why you have IPv6. Even while many web sites and apps don't 
support IPv4, enough do that it relieves some pressure on your CGN.


Lee
  


- Aaron

  


From: Michael Crapse [mailto:mich...@wi-fiber.io]
Sent: Tuesday, February 27, 2018 11:19 AM
To: Mike Hammett
Cc: Aaron Gould; NANOG list
Subject: Re: cgnat - how do you handle customer issues

  


For number 2, I'm a fan of what mike suggests. I believe the technical term is 
MAP-T.
For number 1, anyone who wants one, gets one. We provide free public static IP 
to any customer who asks for one. Another solution, using above solution is to 
ask them which ports they need, and forward those to them using a port within 
their assign range. i.e. teach them how to access their home web server using a 
different port(say 32424, or similar). This won't solve all the issues, which 
is why we use solution 1.

  


On 27 February 2018 at 09:32, Mike Hammett <na...@ics-il.net> wrote:

I'm a fan of nailing each customer IP to a particular range of ports on a given 
public IP. Real easy to track who did what and to prevent shifting IPs.




-
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP

- Original Message -

From: "Aaron Gould" <aar...@gvtc.com>
To: Nanog@nanog.org
Sent: Tuesday, February 27, 2018 10:30:21 AM
Subject: cgnat - how do you handle customer issues


Couple questions please. When you put thousands of customers behind a cgnat
boundary, how do you all handle customer complaints about the following.



1 - for external connectivity to the customers premise devices, not being
able to access web servers, web cameras, etc, in their premises?



2 - from the premise natted device, when customers go to a university or
bank web site, how do you handle randomly changing ip addresses/ports that
may occur due to idle time and session tear-down in nat table such that the
bank website has issues with seeing your session ip change?





-Aaron

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Lee Howard 



On 02/27/2018 11:30 AM, Aaron Gould wrote:

Couple questions please. When you put thousands of customers behind a cgnat
boundary, how do you all handle customer complaints about the following.

  


1 - for external connectivity to the customers premise devices, not being
able to access web servers, web cameras, etc, in their premises?

For web servers, you gently remind them of their ToS, and offer to 
upgrade them to a business account.


You offer to upgrade them to native IPv4, for a fee, and suggest they 
contact the manufacturer to see why it doesn't support IPv6.

I've heard of PCP for this, but never seen it in production on CPE.

I saw an early prototype of DS-Lite that included a customer portal that 
would allow the customer to enable port forwarding, but I can't imagine 
trying to walk a customer through two layers of port forwarding.


Most of these consumer electronics devices long ago started using 
ICE/TURN/STUN, and/or the company's web portal as their external 
communication platform. Doesn't mean all of them do.




2 - from the premise natted device, when customers go to a university or
bank web site, how do you handle randomly changing ip addresses/ports that
may occur due to idle time and session tear-down in nat table such that the
bank website has issues with seeing your session ip change?

  



You can extend your idle timers, of course, but only so much before 
you're squatting on all your ports.
After that, it's down to explaining to the university, bank, etc. that 
they need IPv6 if they want their web site to be reachable. Or at least 
they need to extend their idle timers.


Lee



  


-Aaron

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Chris Gross 
I utilize A10 CGNAT that allows dynamic NAT logging, since we're in a similar 
boat of utilization.

This email has been sent from my phone. Please excuse any brevity, typos, or 
lack of formality.

From: Aaron Gould <aar...@gvtc.com>
Sent: Tuesday, February 27, 2018 12:54
To: 'Michael Crapse'; 'Mike Hammett'
Cc: 'NANOG list'
Subject: RE: cgnat - how do you handle customer issues

Thanks



For #2 – what if the ports allocated aren’t enough for the amount of inet 
traffic the customer site uses ?  …is the customer denied service based on 
insufficient port range ?  …or are they assigned another block within that some 
ip’s range of I think it’s 0-64k or 1025-64k… but how far can you take that 
before there aren’t anymore port blocks left on that single ip ?  …and if you 
have to allocate that customer another port block from a *different* ip, then 
we are in the situation of the bank website not liking the fact that the 
session is bouncing to a different ip maybe ?



- Aaron



From: Michael Crapse [mailto:mich...@wi-fiber.io]
Sent: Tuesday, February 27, 2018 11:19 AM
To: Mike Hammett
Cc: Aaron Gould; NANOG list
Subject: Re: cgnat - how do you handle customer issues



For number 2, I'm a fan of what mike suggests. I believe the technical term is 
MAP-T.
For number 1, anyone who wants one, gets one. We provide free public static IP 
to any customer who asks for one. Another solution, using above solution is to 
ask them which ports they need, and forward those to them using a port within 
their assign range. i.e. teach them how to access their home web server using a 
different port(say 32424, or similar). This won't solve all the issues, which 
is why we use solution 1.



On 27 February 2018 at 09:32, Mike Hammett <na...@ics-il.net> wrote:

I'm a fan of nailing each customer IP to a particular range of ports on a given 
public IP. Real easy to track who did what and to prevent shifting IPs.




-
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP

- Original Message -

From: "Aaron Gould" <aar...@gvtc.com>
To: Nanog@nanog.org
Sent: Tuesday, February 27, 2018 10:30:21 AM
Subject: cgnat - how do you handle customer issues


Couple questions please. When you put thousands of customers behind a cgnat
boundary, how do you all handle customer complaints about the following.



1 - for external connectivity to the customers premise devices, not being
able to access web servers, web cameras, etc, in their premises?



2 - from the premise natted device, when customers go to a university or
bank web site, how do you handle randomly changing ip addresses/ports that
may occur due to idle time and session tear-down in nat table such that the
bank website has issues with seeing your session ip change?





-Aaron

RE: cgnat - how do you handle customer issues

2018-02-27 Thread Aaron Gould 
Thanks

 

For #2 – what if the ports allocated aren’t enough for the amount of inet 
traffic the customer site uses ?  …is the customer denied service based on 
insufficient port range ?  …or are they assigned another block within that some 
ip’s range of I think it’s 0-64k or 1025-64k… but how far can you take that 
before there aren’t anymore port blocks left on that single ip ?  …and if you 
have to allocate that customer another port block from a *different* ip, then 
we are in the situation of the bank website not liking the fact that the 
session is bouncing to a different ip maybe ?

 

- Aaron

 

From: Michael Crapse [mailto:mich...@wi-fiber.io] 
Sent: Tuesday, February 27, 2018 11:19 AM
To: Mike Hammett
Cc: Aaron Gould; NANOG list
Subject: Re: cgnat - how do you handle customer issues

 

For number 2, I'm a fan of what mike suggests. I believe the technical term is 
MAP-T.
For number 1, anyone who wants one, gets one. We provide free public static IP 
to any customer who asks for one. Another solution, using above solution is to 
ask them which ports they need, and forward those to them using a port within 
their assign range. i.e. teach them how to access their home web server using a 
different port(say 32424, or similar). This won't solve all the issues, which 
is why we use solution 1.

 

On 27 February 2018 at 09:32, Mike Hammett <na...@ics-il.net> wrote:

I'm a fan of nailing each customer IP to a particular range of ports on a given 
public IP. Real easy to track who did what and to prevent shifting IPs.




-
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP

- Original Message -

From: "Aaron Gould" <aar...@gvtc.com>
To: Nanog@nanog.org
Sent: Tuesday, February 27, 2018 10:30:21 AM
Subject: cgnat - how do you handle customer issues


Couple questions please. When you put thousands of customers behind a cgnat
boundary, how do you all handle customer complaints about the following.



1 - for external connectivity to the customers premise devices, not being
able to access web servers, web cameras, etc, in their premises?



2 - from the premise natted device, when customers go to a university or
bank web site, how do you handle randomly changing ip addresses/ports that
may occur due to idle time and session tear-down in nat table such that the
bank website has issues with seeing your session ip change?





-Aaron

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Michael Crapse 
For number 2, I'm a fan of what mike suggests. I believe the technical term
is MAP-T.
For number 1, anyone who wants one, gets one. We provide free public static
IP to any customer who asks for one. Another solution, using above solution
is to ask them which ports they need, and forward those to them using a
port within their assign range. i.e. teach them how to access their home
web server using a different port(say 32424, or similar). This won't solve
all the issues, which is why we use solution 1.

On 27 February 2018 at 09:32, Mike Hammett  wrote:

> I'm a fan of nailing each customer IP to a particular range of ports on a
> given public IP. Real easy to track who did what and to prevent shifting
> IPs.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>
> - Original Message -
>
> From: "Aaron Gould" 
> To: Nanog@nanog.org
> Sent: Tuesday, February 27, 2018 10:30:21 AM
> Subject: cgnat - how do you handle customer issues
>
> Couple questions please. When you put thousands of customers behind a cgnat
> boundary, how do you all handle customer complaints about the following.
>
>
>
> 1 - for external connectivity to the customers premise devices, not being
> able to access web servers, web cameras, etc, in their premises?
>
>
>
> 2 - from the premise natted device, when customers go to a university or
> bank web site, how do you handle randomly changing ip addresses/ports that
> may occur due to idle time and session tear-down in nat table such that the
> bank website has issues with seeing your session ip change?
>
>
>
>
>
> -Aaron
>
>
>

Re: cgnat - how do you handle customer issues

2018-02-27 Thread Mike Hammett 
I'm a fan of nailing each customer IP to a particular range of ports on a given 
public IP. Real easy to track who did what and to prevent shifting IPs. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Aaron Gould"  
To: Nanog@nanog.org 
Sent: Tuesday, February 27, 2018 10:30:21 AM 
Subject: cgnat - how do you handle customer issues 

Couple questions please. When you put thousands of customers behind a cgnat 
boundary, how do you all handle customer complaints about the following. 



1 - for external connectivity to the customers premise devices, not being 
able to access web servers, web cameras, etc, in their premises? 



2 - from the premise natted device, when customers go to a university or 
bank web site, how do you handle randomly changing ip addresses/ports that 
may occur due to idle time and session tear-down in nat table such that the 
bank website has issues with seeing your session ip change? 





-Aaron